3 * Bulk crypto transformations
5 * (c) 2014 Straylight/Edgeware
8 /*----- Licensing notice --------------------------------------------------*
10 * This file is part of Trivial IP Encryption (TrIPE).
12 * TrIPE is free software: you can redistribute it and/or modify it under
13 * the terms of the GNU General Public License as published by the Free
14 * Software Foundation; either version 3 of the License, or (at your
15 * option) any later version.
17 * TrIPE is distributed in the hope that it will be useful, but WITHOUT
18 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
19 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
22 * You should have received a copy of the GNU General Public License
23 * along with TrIPE. If not, see <https://www.gnu.org/licenses/>.
26 /*----- Header files ------------------------------------------------------*/
30 /*----- Utilities ---------------------------------------------------------*/
32 #define SEQSZ 4 /* Size of sequence number packet */
34 #define TRACE_IV(qiv, ivsz) do { IF_TRACING(T_KEYSET, { \
35 trace_block(T_CRYPTO, "crypto: initialization vector", \
39 #define TRACE_CT(qpk, sz) do { IF_TRACING(T_KEYSET, { \
40 trace_block(T_CRYPTO, "crypto: encrypted packet", (qpk), (sz)); \
43 #define TRACE_MAC(qmac, tagsz) do { IF_TRACING(T_KEYSET, { \
44 trace_block(T_CRYPTO, "crypto: computed MAC", (qmac), (tagsz)); \
47 #define TRACE_MACERR(pmac, tagsz) do { IF_TRACING(T_KEYSET, { \
48 trace(T_KEYSET, "keyset: incorrect MAC: decryption failed"); \
49 trace_block(T_CRYPTO, "crypto: provided MAC", (pmac), (tagsz)); \
52 /* --- @derivekey@ --- *
54 * Arguments: @octet *k@ = pointer to an output buffer of at least
56 * @size_t ksz@ = actual size wanted (for tracing)
57 * @const deriveargs@ = derivation parameters, as passed into
59 * @int dir@ = direction for the key (@DIR_IN@ or @DIR_OUT@)
60 * @const char *what@ = label for the key (input to derivation)
64 * Use: Derives a session key, for use on incoming or outgoing data.
67 static void derivekey(octet
*k
, size_t ksz
, const deriveargs
*a
,
68 int dir
, const char *what
)
70 const gchash
*hc
= a
->hc
;
73 assert(ksz
<= hc
->hashsz
);
74 assert(hc
->hashsz
<= MAXHASHSZ
);
76 GH_HASH(h
, a
->what
, strlen(a
->what
)); GH_HASH(h
, what
, strlen(what
) + 1);
79 if (a
->x
) GH_HASH(h
, a
->k
, a
->x
);
80 if (a
->y
!= a
->x
) GH_HASH(h
, a
->k
+ a
->x
, a
->y
- a
->x
);
83 if (a
->y
!= a
->x
) GH_HASH(h
, a
->k
+ a
->x
, a
->y
- a
->x
);
84 if (a
->x
) GH_HASH(h
, a
->k
, a
->x
);
89 GH_HASH(h
, a
->k
+ a
->y
, a
->z
- a
->y
);
92 IF_TRACING(T_KEYSET
, { IF_TRACING(T_CRYPTO
, {
94 sprintf(_buf
, "crypto: %s key %s", dir ?
"outgoing" : "incoming", what
);
95 trace_block(T_CRYPTO
, _buf
, k
, ksz
);
99 /*----- Common functionality for generic-composition transforms -----------*/
101 #define CHECK_MAC(h, pmac, tagsz) do { \
103 const octet *_pmac = (pmac); \
104 size_t _tagsz = (tagsz); \
105 octet *_mac = GH_DONE(_h, 0); \
106 int _eq = ct_memeq(_mac, _pmac, _tagsz); \
107 TRACE_MAC(_mac, _tagsz); \
110 TRACE_MACERR(_pmac, _tagsz); \
111 return (KSERR_DECRYPT); \
115 typedef struct gencomp_algs
{
116 const gccipher
*c
; size_t cksz
;
117 const gcmac
*m
; size_t mksz
; size_t tagsz
;
120 typedef struct gencomp_chal
{
125 static int gencomp_getalgs(gencomp_algs
*a
, const algswitch
*asw
,
126 dstr
*e
, key_file
*kf
, key
*k
)
134 /* --- Symmetric encryption --- */
136 if ((p
= key_getattr(kf
, k
, "cipher")) == 0) p
= "blowfish-cbc";
137 if ((a
->c
= gcipher_byname(p
)) == 0) {
138 a_format(e
, "unknown-cipher", "%s", p
, A_END
);
142 /* --- Message authentication --- */
144 if ((p
= key_getattr(kf
, k
, "mac")) != 0) {
147 if ((q
= strrchr(d
.buf
, '/')) != 0)
149 if ((a
->m
= gmac_byname(d
.buf
)) == 0) {
150 a_format(e
, "unknown-mac", "%s", d
.buf
, A_END
);
154 a
->tagsz
= a
->m
->hashsz
;
156 n
= strtoul(q
, &qq
, 0);
158 a_format(e
, "bad-tag-length-string", "%s", q
, A_END
);
161 if (n
%8 || n
/8 > a
->m
->hashsz
) {
162 a_format(e
, "bad-tag-length", "%lu", n
, A_END
);
169 dstr_putf(&d
, "%s-hmac", asw
->h
->name
);
170 if ((a
->m
= gmac_byname(d
.buf
)) == 0) {
171 a_format(e
, "no-hmac-for-hash", "%s", asw
->h
->name
, A_END
);
174 a
->tagsz
= asw
->h
->hashsz
/2;
184 static void gencomp_tracealgs(const gencomp_algs
*a
)
186 trace(T_CRYPTO
, "crypto: cipher = %s", a
->c
->name
);
187 trace(T_CRYPTO
, "crypto: mac = %s/%lu",
188 a
->m
->name
, (unsigned long)a
->tagsz
* 8);
192 static int gencomp_checkalgs(gencomp_algs
*a
, const algswitch
*asw
, dstr
*e
)
194 /* --- Derive the key sizes --- *
196 * Must ensure that we have non-empty keys. This isn't ideal, but it
197 * provides a handy sanity check. Also must be based on a 64- or 128-bit
198 * block cipher or we can't do the data expiry properly.
201 if ((a
->cksz
= keysz(asw
->hashsz
, a
->c
->keysz
)) == 0) {
202 a_format(e
, "cipher", "%s", a
->c
->name
,
203 "no-key-size", "%lu", (unsigned long)asw
->hashsz
,
207 if ((a
->mksz
= keysz(asw
->hashsz
, a
->m
->keysz
)) == 0) {
208 a_format(e
, "mac", "%s", a
->m
->name
,
209 "no-key-size", "%lu", (unsigned long)asw
->hashsz
,
217 static void gencomp_alginfo(const gencomp_algs
*a
, admin
*adm
)
220 "cipher=%s", a
->c
->name
,
221 "cipher-keysz=%lu", (unsigned long)a
->cksz
,
222 "cipher-blksz=%lu", (unsigned long)a
->c
->blksz
,
225 "mac=%s", a
->m
->name
,
226 "mac-keysz=%lu", (unsigned long)a
->mksz
,
227 "mac-tagsz=%lu", (unsigned long)a
->tagsz
,
231 static int gencomp_samealgsp(const gencomp_algs
*a
, const gencomp_algs
*aa
)
233 return (a
->c
== aa
->c
&&
234 a
->m
== aa
->m
&& a
->tagsz
== aa
->tagsz
);
237 static size_t gencomp_expsz(const gencomp_algs
*a
)
238 { return (a
->c
->blksz
< 16 ?
MEG(64) : MEG(2048)); }
240 static bulkchal
*gencomp_genchal(const gencomp_algs
*a
)
242 gencomp_chal
*gc
= CREATE(gencomp_chal
);
244 rand_get(RAND_GLOBAL
, buf_t
, a
->mksz
);
245 gc
->m
= GM_KEY(a
->m
, buf_t
, a
->mksz
);
246 gc
->_b
.tagsz
= a
->tagsz
;
248 trace(T_CHAL
, "chal: generated new challenge key");
249 trace_block(T_CRYPTO
, "chal: new key", buf_t
, a
->mksz
);
254 static int gencomp_chaltag(bulkchal
*bc
, const void *m
, size_t msz
,
257 gencomp_chal
*gc
= (gencomp_chal
*)bc
;
258 ghash
*h
= GM_INIT(gc
->m
);
260 GH_HASHU32(h
, seq
); if (msz
) GH_HASH(h
, m
, msz
);
261 memcpy(t
, GH_DONE(h
, 0), bc
->tagsz
);
266 static int gencomp_chalvrf(bulkchal
*bc
, const void *m
, size_t msz
,
267 uint32 seq
, const void *t
)
269 gencomp_chal
*gc
= (gencomp_chal
*)bc
;
270 ghash
*h
= GM_INIT(gc
->m
);
273 GH_HASHU32(h
, seq
); if (msz
) GH_HASH(h
, m
, msz
);
274 ok
= ct_memeq(GH_DONE(h
, 0), t
, gc
->_b
.tagsz
);
276 return (ok ?
0 : -1);
279 static void gencomp_freechal(bulkchal
*bc
)
280 { gencomp_chal
*gc
= (gencomp_chal
*)bc
; GM_DESTROY(gc
->m
); DESTROY(gc
); }
282 /*----- The original transform --------------------------------------------*
284 * We generate a random initialization vector (if the cipher needs one). We
285 * encrypt the input message with the cipher, and format the type, sequence
286 * number, IV, and ciphertext as follows.
288 * +--------+ +--------+---...---+------...------+
289 * | type | | seq | iv | ciphertext |
290 * +--------+ +--------+---...---+------...------+
293 * All of this is fed into the MAC to compute a tag. The type is not
294 * transmitted: the other end knows what type of message it expects, and the
295 * type is only here to prevent us from being confused because some other
296 * kind of ciphertext has been substituted. The tag is prepended to the
297 * remainder, to yield the finished cryptogram, as follows.
299 * +---...---+--------+---...---+------...------+
300 * | tag | seq | iv | ciphertext |
301 * +---...---+--------+---...---+------...------+
304 * Decryption: checks the overall size, verifies the tag, then decrypts the
305 * ciphertext and extracts the sequence number.
307 * Challenge tags are calculated by applying the MAC to the sequence number
308 * and message, concatenated as follows.
310 * +--------+---...---+
312 * +--------+---...---+
316 typedef struct v0_algs
{
321 typedef struct v0_ctx
{
330 static bulkalgs
*v0_getalgs(const algswitch
*asw
, dstr
*e
,
331 key_file
*kf
, key
*k
)
333 v0_algs
*a
= CREATE(v0_algs
);
334 if (gencomp_getalgs(&a
->ga
, asw
, e
, kf
, k
)) { DESTROY(a
); return (0); }
339 static void v0_tracealgs(const bulkalgs
*aa
)
340 { const v0_algs
*a
= (const v0_algs
*)aa
; gencomp_tracealgs(&a
->ga
); }
343 static int v0_checkalgs(bulkalgs
*aa
, const algswitch
*asw
, dstr
*e
)
345 v0_algs
*a
= (v0_algs
*)aa
;
346 if (gencomp_checkalgs(&a
->ga
, asw
, e
)) return (-1);
350 static int v0_samealgsp(const bulkalgs
*aa
, const bulkalgs
*bb
)
352 const v0_algs
*a
= (const v0_algs
*)aa
, *b
= (const v0_algs
*)bb
;
353 return (gencomp_samealgsp(&a
->ga
, &b
->ga
));
356 static void v0_alginfo(const bulkalgs
*aa
, admin
*adm
)
357 { const v0_algs
*a
= (const v0_algs
*)aa
; gencomp_alginfo(&a
->ga
, adm
); }
359 static size_t v0_overhead(const bulkalgs
*aa
)
361 const v0_algs
*a
= (const v0_algs
*)aa
;
362 return (a
->ga
.tagsz
+ SEQSZ
+ a
->ga
.c
->blksz
);
365 static size_t v0_expsz(const bulkalgs
*aa
)
366 { const v0_algs
*a
= (const v0_algs
*)aa
; return (gencomp_expsz(&a
->ga
)); }
368 static bulkctx
*v0_genkeys(const bulkalgs
*aa
, const deriveargs
*da
)
370 const v0_algs
*a
= (const v0_algs
*)aa
;
371 v0_ctx
*bc
= CREATE(v0_ctx
);
375 bc
->tagsz
= a
->ga
.tagsz
;
376 for (i
= 0; i
< NDIR
; i
++) {
377 if (!(da
->f
&(1 << i
))) { bc
->d
[i
].c
= 0; bc
->d
[i
].m
= 0; continue; }
378 derivekey(k
, a
->ga
.cksz
, da
, i
, "encryption");
379 bc
->d
[i
].c
= GC_INIT(a
->ga
.c
, k
, a
->ga
.cksz
);
380 derivekey(k
, a
->ga
.mksz
, da
, i
, "integrity");
381 bc
->d
[i
].m
= GM_KEY(a
->ga
.m
, k
, a
->ga
.mksz
);
386 static bulkchal
*v0_genchal(const bulkalgs
*aa
)
388 const v0_algs
*a
= (const v0_algs
*)aa
;
389 return (gencomp_genchal(&a
->ga
));
391 #define v0_chaltag gencomp_chaltag
392 #define v0_chalvrf gencomp_chalvrf
393 #define v0_freechal gencomp_freechal
395 static void v0_freealgs(bulkalgs
*aa
)
396 { v0_algs
*a
= (v0_algs
*)aa
; DESTROY(a
); }
398 static void v0_freectx(bulkctx
*bbc
)
400 v0_ctx
*bc
= (v0_ctx
*)bbc
;
403 for (i
= 0; i
< NDIR
; i
++) {
404 if (bc
->d
[i
].c
) GC_DESTROY(bc
->d
[i
].c
);
405 if (bc
->d
[i
].m
) GM_DESTROY(bc
->d
[i
].m
);
410 static int v0_encrypt(bulkctx
*bbc
, unsigned ty
,
411 buf
*b
, buf
*bb
, uint32 seq
)
413 v0_ctx
*bc
= (v0_ctx
*)bbc
;
415 gcipher
*c
= bc
->d
[DIR_OUT
].c
;
416 const octet
*p
= BCUR(b
);
417 size_t sz
= BLEFT(b
);
418 octet
*qmac
, *qseq
, *qiv
, *qpk
;
420 size_t tagsz
= bc
->tagsz
;
424 ivsz
= GC_CLASS(c
)->blksz
;
426 /* --- Determine the ciphertext layout --- */
428 if (buf_ensure(bb
, tagsz
+ SEQSZ
+ ivsz
+ sz
)) return (0);
429 qmac
= BCUR(bb
); qseq
= qmac
+ tagsz
; qiv
= qseq
+ SEQSZ
; qpk
= qiv
+ ivsz
;
430 BSTEP(bb
, tagsz
+ SEQSZ
+ ivsz
+ sz
);
432 /* --- Store the type --- *
434 * This isn't transmitted, but it's covered by the MAC.
439 /* --- Store the sequence number --- */
443 /* --- Establish an initialization vector if necessary --- */
446 rand_get(RAND_GLOBAL
, qiv
, ivsz
);
451 /* --- Encrypt the packet --- */
453 GC_ENCRYPT(c
, p
, qpk
, sz
);
456 /* --- Compute a MAC over type, sequence number, IV, and ciphertext --- */
459 h
= GM_INIT(bc
->d
[DIR_OUT
].m
);
460 GH_HASH(h
, t
, sizeof(t
));
461 GH_HASH(h
, qseq
, SEQSZ
+ ivsz
+ sz
);
462 memcpy(qmac
, GH_DONE(h
, 0), tagsz
);
464 TRACE_MAC(qmac
, tagsz
);
467 /* --- We're done --- */
472 static int v0_decrypt(bulkctx
*bbc
, unsigned ty
,
473 buf
*b
, buf
*bb
, uint32
*seq
)
475 v0_ctx
*bc
= (v0_ctx
*)bbc
;
476 const octet
*pmac
, *piv
, *pseq
, *ppk
;
477 size_t psz
= BLEFT(b
);
481 gcipher
*c
= bc
->d
[DIR_IN
].c
;
483 size_t tagsz
= bc
->tagsz
;
487 ivsz
= GC_CLASS(c
)->blksz
;
489 /* --- Break up the packet into its components --- */
491 if (psz
< ivsz
+ SEQSZ
+ tagsz
) {
492 T( trace(T_KEYSET
, "keyset: block too small for keyset"); )
493 return (KSERR_MALFORMED
);
495 sz
= psz
- ivsz
- SEQSZ
- tagsz
;
496 pmac
= BCUR(b
); pseq
= pmac
+ tagsz
; piv
= pseq
+ SEQSZ
; ppk
= piv
+ ivsz
;
499 /* --- Verify the MAC on the packet --- */
502 h
= GM_INIT(bc
->d
[DIR_IN
].m
);
503 GH_HASH(h
, t
, sizeof(t
));
504 GH_HASH(h
, pseq
, SEQSZ
+ ivsz
+ sz
);
505 CHECK_MAC(h
, pmac
, tagsz
);
508 /* --- Decrypt the packet --- */
514 GC_DECRYPT(c
, ppk
, q
, sz
);
516 /* --- Finished --- */
523 /*----- The implicit-IV transform -----------------------------------------*
525 * The v0 transform makes everything explicit. There's an IV because the
526 * cipher needs an IV; there's a sequence number because replay prevention
527 * needs a sequence number.
529 * This new transform works rather differently. We make use of a block
530 * cipher to encrypt the sequence number, and use that as the IV. We
531 * transmit the sequence number in the clear, as before. This reduces
532 * overhead; and it's not a significant privacy leak because the adversary
533 * can see the order in which the messages are transmitted -- i.e., the
534 * sequence numbers are almost completely predictable anyway.
536 * So, a MAC is computed over
538 * +--------+ +--------+------...------+
539 * | type | | seq | ciphertext |
540 * +--------+ +--------+------...------+
543 * and we actually transmit the following as the cryptogram.
545 * +---...---+------+------...------+
546 * | tag | seq | ciphertext |
547 * +---...---+------+------...------+
550 * Challenge tags are calculated by applying the MAC to the sequence number
551 * and message, concatenated as follows.
553 * +--------+---...---+
555 * +--------+---...---+
559 typedef struct iiv_algs
{
562 const gccipher
*b
; size_t bksz
;
565 typedef struct iiv_ctx
{
575 static bulkalgs
*iiv_getalgs(const algswitch
*asw
, dstr
*e
,
576 key_file
*kf
, key
*k
)
578 iiv_algs
*a
= CREATE(iiv_algs
);
579 dstr d
= DSTR_INIT
, dd
= DSTR_INIT
;
583 if (gencomp_getalgs(&a
->ga
, asw
, e
, kf
, k
)) goto fail
;
585 if ((p
= key_getattr(kf
, k
, "blkc")) == 0) {
586 dstr_puts(&dd
, a
->ga
.c
->name
);
587 if ((q
= strrchr(dd
.buf
, '-')) != 0) *q
= 0;
590 dstr_putf(&d
, "%s-ecb", p
);
591 if ((a
->b
= gcipher_byname(d
.buf
)) == 0) {
592 a_format(e
, "unknown-blkc", "%s", p
, A_END
);
596 dstr_destroy(&d
); dstr_destroy(&dd
);
599 dstr_destroy(&d
); dstr_destroy(&dd
);
605 static void iiv_tracealgs(const bulkalgs
*aa
)
607 const iiv_algs
*a
= (const iiv_algs
*)aa
;
609 gencomp_tracealgs(&a
->ga
);
611 "crypto: blkc = %.*s", (int)strlen(a
->b
->name
) - 4, a
->b
->name
);
615 static int iiv_checkalgs(bulkalgs
*aa
, const algswitch
*asw
, dstr
*e
)
617 iiv_algs
*a
= (iiv_algs
*)aa
;
619 if (gencomp_checkalgs(&a
->ga
, asw
, e
)) return (-1);
621 if ((a
->bksz
= keysz(asw
->hashsz
, a
->b
->keysz
)) == 0) {
622 a_format(e
, "blkc", "%.*s", strlen(a
->b
->name
) - 4, a
->b
->name
,
623 "no-key-size", "%lu", (unsigned long)asw
->hashsz
,
627 if (a
->b
->blksz
< a
->ga
.c
->blksz
) {
628 a_format(e
, "blkc", "%.*s", strlen(a
->b
->name
) - 4, a
->b
->name
,
629 "blksz-insufficient", A_END
);
635 static int iiv_samealgsp(const bulkalgs
*aa
, const bulkalgs
*bb
)
637 const iiv_algs
*a
= (const iiv_algs
*)aa
, *b
= (const iiv_algs
*)bb
;
638 return (gencomp_samealgsp(&a
->ga
, &b
->ga
) && a
->b
== b
->b
);
641 static void iiv_alginfo(const bulkalgs
*aa
, admin
*adm
)
643 const iiv_algs
*a
= (const iiv_algs
*)aa
;
644 gencomp_alginfo(&a
->ga
, adm
);
646 "blkc=%.*s", strlen(a
->b
->name
) - 4, a
->b
->name
,
647 "blkc-keysz=%lu", (unsigned long)a
->bksz
,
648 "blkc-blksz=%lu", (unsigned long)a
->b
->blksz
,
652 static size_t iiv_overhead(const bulkalgs
*aa
)
653 { const iiv_algs
*a
= (const iiv_algs
*)aa
; return (a
->ga
.tagsz
+ SEQSZ
); }
655 static size_t iiv_expsz(const bulkalgs
*aa
)
657 const iiv_algs
*a
= (const iiv_algs
*)aa
;
658 return (gencomp_expsz(&a
->ga
));
661 static bulkctx
*iiv_genkeys(const bulkalgs
*aa
, const deriveargs
*da
)
663 const iiv_algs
*a
= (const iiv_algs
*)aa
;
664 iiv_ctx
*bc
= CREATE(iiv_ctx
);
668 bc
->tagsz
= a
->ga
.tagsz
;
669 for (i
= 0; i
< NDIR
; i
++) {
670 if (!(da
->f
&(1 << i
)))
671 { bc
->d
[i
].c
= 0; bc
->d
[i
].b
= 0; bc
->d
[i
].m
= 0; continue; }
672 derivekey(k
, a
->ga
.cksz
, da
, i
, "encryption");
673 bc
->d
[i
].c
= GC_INIT(a
->ga
.c
, k
, a
->ga
.cksz
);
674 derivekey(k
, a
->bksz
, da
, i
, "blkc");
675 bc
->d
[i
].b
= GC_INIT(a
->b
, k
, a
->bksz
);
676 derivekey(k
, a
->ga
.mksz
, da
, i
, "integrity");
677 bc
->d
[i
].m
= GM_KEY(a
->ga
.m
, k
, a
->ga
.mksz
);
682 static bulkchal
*iiv_genchal(const bulkalgs
*aa
)
684 const iiv_algs
*a
= (const iiv_algs
*)aa
;
685 return (gencomp_genchal(&a
->ga
));
687 #define iiv_chaltag gencomp_chaltag
688 #define iiv_chalvrf gencomp_chalvrf
689 #define iiv_freechal gencomp_freechal
691 static void iiv_freealgs(bulkalgs
*aa
)
692 { iiv_algs
*a
= (iiv_algs
*)aa
; DESTROY(a
); }
694 static void iiv_freectx(bulkctx
*bbc
)
696 iiv_ctx
*bc
= (iiv_ctx
*)bbc
;
699 for (i
= 0; i
< NDIR
; i
++) {
700 if (bc
->d
[i
].c
) GC_DESTROY(bc
->d
[i
].c
);
701 if (bc
->d
[i
].b
) GC_DESTROY(bc
->d
[i
].b
);
702 if (bc
->d
[i
].m
) GM_DESTROY(bc
->d
[i
].m
);
707 #define TRACE_PRESEQ(qseq, ivsz) do { IF_TRACING(T_KEYSET, { \
708 trace_block(T_CRYPTO, "crypto: IV derivation input", (qseq), (ivsz)); \
711 static int iiv_encrypt(bulkctx
*bbc
, unsigned ty
,
712 buf
*b
, buf
*bb
, uint32 seq
)
714 iiv_ctx
*bc
= (iiv_ctx
*)bbc
;
716 gcipher
*c
= bc
->d
[DIR_OUT
].c
, *blkc
= bc
->d
[DIR_OUT
].b
;
717 const octet
*p
= BCUR(b
);
718 size_t sz
= BLEFT(b
);
719 octet
*qmac
, *qseq
, *qpk
;
721 size_t tagsz
= bc
->tagsz
;
724 assert(c
); assert(blkc
);
725 ivsz
= GC_CLASS(c
)->blksz
;
726 blkcsz
= GC_CLASS(blkc
)->blksz
;
728 /* --- Determine the ciphertext layout --- */
730 if (buf_ensure(bb
, tagsz
+ SEQSZ
+ sz
)) return (0);
731 qmac
= BCUR(bb
); qseq
= qmac
+ tagsz
; qpk
= qseq
+ SEQSZ
;
732 BSTEP(bb
, tagsz
+ SEQSZ
+ sz
);
734 /* --- Store the type --- *
736 * This isn't transmitted, but it's covered by the MAC.
741 /* --- Store the sequence number --- */
745 /* --- Establish an initialization vector if necessary --- */
748 memset(buf_u
, 0, blkcsz
- SEQSZ
);
749 memcpy(buf_u
+ blkcsz
- SEQSZ
, qseq
, SEQSZ
);
750 TRACE_PRESEQ(buf_u
, ivsz
);
751 GC_ENCRYPT(blkc
, buf_u
, buf_u
, blkcsz
);
753 TRACE_IV(buf_u
, ivsz
);
756 /* --- Encrypt the packet --- */
758 GC_ENCRYPT(c
, p
, qpk
, sz
);
761 /* --- Compute a MAC over type, sequence number, and ciphertext --- */
764 h
= GM_INIT(bc
->d
[DIR_OUT
].m
);
765 GH_HASH(h
, t
, sizeof(t
));
766 GH_HASH(h
, qseq
, SEQSZ
+ sz
);
767 memcpy(qmac
, GH_DONE(h
, 0), tagsz
);
769 TRACE_MAC(qmac
, tagsz
);
772 /* --- We're done --- */
777 static int iiv_decrypt(bulkctx
*bbc
, unsigned ty
,
778 buf
*b
, buf
*bb
, uint32
*seq
)
780 iiv_ctx
*bc
= (iiv_ctx
*)bbc
;
781 const octet
*pmac
, *pseq
, *ppk
;
782 size_t psz
= BLEFT(b
);
786 gcipher
*c
= bc
->d
[DIR_IN
].c
, *blkc
= bc
->d
[DIR_IN
].b
;
788 size_t tagsz
= bc
->tagsz
;
791 assert(c
); assert(blkc
);
792 ivsz
= GC_CLASS(c
)->blksz
;
793 blkcsz
= GC_CLASS(blkc
)->blksz
;
795 /* --- Break up the packet into its components --- */
797 if (psz
< SEQSZ
+ tagsz
) {
798 T( trace(T_KEYSET
, "keyset: block too small for keyset"); )
799 return (KSERR_MALFORMED
);
801 sz
= psz
- SEQSZ
- tagsz
;
802 pmac
= BCUR(b
); pseq
= pmac
+ tagsz
; ppk
= pseq
+ SEQSZ
;
805 /* --- Verify the MAC on the packet --- */
808 h
= GM_INIT(bc
->d
[DIR_IN
].m
);
809 GH_HASH(h
, t
, sizeof(t
));
810 GH_HASH(h
, pseq
, SEQSZ
+ sz
);
811 CHECK_MAC(h
, pmac
, tagsz
);
814 /* --- Decrypt the packet --- */
817 memset(buf_u
, 0, blkcsz
- SEQSZ
);
818 memcpy(buf_u
+ blkcsz
- SEQSZ
, pseq
, SEQSZ
);
819 TRACE_PRESEQ(buf_u
, ivsz
);
820 GC_ENCRYPT(blkc
, buf_u
, buf_u
, blkcsz
);
822 TRACE_IV(buf_u
, ivsz
);
824 GC_DECRYPT(c
, ppk
, q
, sz
);
826 /* --- Finished --- */
833 /*----- The AEAD transform ------------------------------------------------*
835 * This transform uses a general authenticated encryption scheme. Processing
836 * additional authenticated data isn't needed for encrypting messages, but it
837 * is required for challenge generation. Good options include `chacha20-
838 * poly1305' or `rijndael-ocb3'; alas, `salsa20-naclbox' isn't acceptable.
840 * To be acceptable, the scheme must accept at least a 40-bit nonce. (All of
841 * Catacomb's current AEAD schemes are suitable in this respect.) The low 32
842 * bits are the sequence number. The type is written to the next 8--32
843 * bytes: if the nonce size is 64 bits or more (preferred, for compatibility
844 * reasons) then the type is written as 32 bits, and the remaining space is
845 * padded with zero bytes; otherwise, the type is right-aligned in the
846 * remaining space. Both fields are big-endian.
863 * +--------+--------+---...---+
865 * +--------+--------+---...---+
868 * The ciphertext is formatted as
870 * +---...---+--------+------...------+
871 * | tag | seq | ciphertext |
872 * +---...---+--------+------...------+
875 * Challenge tags are calculated by encrypting the message, using the
876 * sequence number as a nonce (as a big-endian integer, padding with leading
877 * zeroes as needed to fill the space), and discarding the ciphertext.
879 * +---...---+--------+ +-----...------+
880 * | 0 | seq | | message |
881 * +---...---+--------+ +-----...------+
885 #define AEAD_NONCEMAX 64
887 typedef struct aead_algs
{
890 size_t ksz
, nsz
, tsz
;
893 typedef struct aead_ctx
{
895 struct { gaead_key
*k
; } d
[NDIR
];
899 static bulkalgs
*aead_getalgs(const algswitch
*asw
, dstr
*e
,
900 key_file
*kf
, key
*k
)
902 aead_algs
*a
= CREATE(aead_algs
);
910 /* --- Collect the selected cipher and check that it's supported --- */
912 p
= key_getattr(kf
, k
, "cipher"); if (!p
) p
= "rijndael-ocb3";
913 a
->c
= gaead_byname(p
);
914 if (!a
->c
) { a_format(e
, "unknown-cipher", "%s", p
, A_END
); goto fail
; }
915 if (a
->c
->f
&AEADF_NOAAD
) {
916 a_format(e
, "unsuitable-aead-cipher", "%s", p
, "no-aad", A_END
);
919 a
->nsz
= keysz_pad(8, a
->c
->noncesz
);
920 if (!a
->nsz
) a
->nsz
= keysz_pad(5, a
->c
->noncesz
);
922 a_format(e
, "unsuitable-aead-cipher", "%s", p
, "nonce-too-small", A_END
);
924 } else if (a
->nsz
> AEAD_NONCEMAX
) {
925 a_format(e
, "unsuitable-aead-cipher", "%s", p
, "nonce-too-large", A_END
);
929 /* --- Collect the selected MAC, and check the tag length --- *
931 * Of course, there isn't a separate MAC, so only accept `aead'.
934 p
= key_getattr(kf
, k
, "tagsz");
936 p
= key_getattr(kf
, k
, "mac");
938 else if (strncmp(p
, "aead", 4) != 0 || (p
[4] && p
[4] != '/'))
939 { a_format(e
, "unknown-mac", "%s", p
, A_END
); goto fail
; }
940 else if (p
[4] == '/') p
+= 5;
944 a
->tsz
= keysz(0, a
->c
->tagsz
);
946 n
= strtoul(p
, &qq
, 0);
948 a_format(e
, "bad-tag-length-string", "%s", p
, A_END
);
951 if (n
%8 || (a
->tsz
= keysz(n
/8, a
->c
->tagsz
)) == 0)
952 { a_format(e
, "bad-tag-length", "%lu", n
, A_END
); goto fail
; }
955 /* --- Check that an empty message gives an empty ciphertext --- *
957 * This is necessary for producing challenges. If the overhead is zero
958 * then we're fine; otherwise, we have to check the hard way.
962 ksz
= keysz(0, a
->c
->keysz
);
963 memset(buf_t
, 0, ksz
> a
->nsz ? ksz
: a
->nsz
);
964 kk
= GAEAD_KEY(a
->c
, buf_t
, ksz
);
965 if (gaead_encrypt(kk
, buf_t
, a
->nsz
,
970 a_format(e
, "unsuitable-aead-cipher", "%s", a
->c
->name
,
971 "nonempty-ciphertext-for-empty-message", A_END
);
974 GAEAD_DESTROY(kk
); kk
= 0;
979 if (kk
) GAEAD_DESTROY(kk
);
985 static void aead_tracealgs(const bulkalgs
*aa
)
987 const aead_algs
*a
= (const aead_algs
*)aa
;
989 trace(T_CRYPTO
, "crypto: cipher = %s", a
->c
->name
);
990 trace(T_CRYPTO
, "crypto: noncesz = %lu", (unsigned long)a
->nsz
);
991 trace(T_CRYPTO
, "crypto: tagsz = %lu", (unsigned long)a
->tsz
);
995 static int aead_checkalgs(bulkalgs
*aa
, const algswitch
*asw
, dstr
*e
)
997 aead_algs
*a
= (aead_algs
*)aa
;
999 if ((a
->ksz
= keysz(asw
->hashsz
, a
->c
->keysz
)) == 0) {
1000 a_format(e
, "cipher", "%s", a
->c
->name
,
1001 "no-key-size", "%lu", (unsigned long)asw
->hashsz
,
1008 static int aead_samealgsp(const bulkalgs
*aa
, const bulkalgs
*bb
)
1010 const aead_algs
*a
= (const aead_algs
*)aa
,
1011 *b
= (const aead_algs
*)bb
;
1012 return (a
->c
== b
->c
&& a
->tsz
== b
->tsz
);
1015 static void aead_alginfo(const bulkalgs
*aa
, admin
*adm
)
1017 const aead_algs
*a
= (const aead_algs
*)aa
;
1018 a_info(adm
, "cipher=%s", a
->c
->name
,
1019 "cipher-keysz=%lu", (unsigned long)a
->ksz
,
1021 a_info(adm
, "mac=aead", "mac-tagsz=%lu", (unsigned long)a
->tsz
, A_END
);
1024 static size_t aead_overhead(const bulkalgs
*aa
)
1026 const aead_algs
*a
= (const aead_algs
*)aa
;
1027 return (a
->tsz
+ SEQSZ
+ a
->c
->ohd
);
1030 static size_t aead_expsz(const bulkalgs
*aa
)
1032 const aead_algs
*a
= (const aead_algs
*)aa
;
1033 return (a
->c
->blksz
< 16 ?
MEG(64) : MEG(2048));
1036 static bulkctx
*aead_genkeys(const bulkalgs
*aa
, const deriveargs
*da
)
1038 const aead_algs
*a
= (const aead_algs
*)aa
;
1039 aead_ctx
*bc
= CREATE(aead_ctx
);
1043 for (i
= 0; i
< NDIR
; i
++) {
1044 if (!(da
->f
&(1 << i
))) { bc
->d
[i
].k
= 0; continue; }
1045 derivekey(k
, a
->ksz
, da
, i
, "encryption");
1046 bc
->d
[i
].k
= GAEAD_KEY(a
->c
, k
, a
->ksz
);
1048 bc
->nsz
= a
->nsz
; bc
->tsz
= a
->tsz
;
1052 typedef struct aead_chal
{
1057 static bulkchal
*aead_genchal(const bulkalgs
*aa
)
1059 const aead_algs
*a
= (const aead_algs
*)aa
;
1060 aead_chal
*c
= CREATE(aead_chal
);
1061 rand_get(RAND_GLOBAL
, buf_t
, a
->ksz
);
1062 c
->k
= GAEAD_KEY(a
->c
, buf_t
, a
->ksz
);
1063 IF_TRACING(T_CHAL
, {
1064 trace(T_CHAL
, "chal: generated new challenge key");
1065 trace_block(T_CRYPTO
, "chal: new key", buf_t
, a
->ksz
);
1067 c
->_b
.tagsz
= a
->tsz
;
1071 static int aead_chaltag(bulkchal
*bc
, const void *m
, size_t msz
,
1072 uint32 seq
, void *t
)
1074 aead_chal
*c
= (aead_chal
*)bc
;
1075 octet b
[AEAD_NONCEMAX
];
1076 size_t nsz
= keysz_pad(4, c
->k
->ops
->c
->noncesz
);
1080 assert(nsz
); assert(nsz
<= sizeof(b
));
1081 memset(b
, 0, nsz
- 4); STORE32(b
+ nsz
- 4, seq
);
1082 rc
= gaead_encrypt(c
->k
, b
, nsz
, m
, msz
, 0, 0,
1083 buf_t
, &csz
, t
, c
->_b
.tagsz
);
1088 static int aead_chalvrf(bulkchal
*bc
, const void *m
, size_t msz
,
1089 uint32 seq
, const void *t
)
1091 aead_chal
*c
= (aead_chal
*)bc
;
1092 octet b
[AEAD_NONCEMAX
];
1093 size_t nsz
= keysz(4, c
->k
->ops
->c
->noncesz
);
1097 assert(nsz
); assert(nsz
<= sizeof(b
));
1098 memset(b
, 0, nsz
- 4); STORE32(b
+ nsz
- 4, seq
);
1099 rc
= gaead_decrypt(c
->k
, b
, nsz
, m
, msz
, 0, 0,
1100 buf_t
, &psz
, t
, c
->_b
.tagsz
);
1102 return (rc
== 1 ?
0 : -1);
1105 static void aead_freechal(bulkchal
*bc
)
1106 { aead_chal
*c
= (aead_chal
*)bc
; GAEAD_DESTROY(c
->k
); DESTROY(c
); }
1108 static void aead_freealgs(bulkalgs
*aa
)
1109 { aead_algs
*a
= (aead_algs
*)aa
; DESTROY(a
); }
1111 static void aead_freectx(bulkctx
*bbc
)
1113 aead_ctx
*bc
= (aead_ctx
*)bbc
;
1116 for (i
= 0; i
< NDIR
; i
++) { if (bc
->d
[i
].k
) GAEAD_DESTROY(bc
->d
[i
].k
); }
1120 static void aead_fmtnonce(aead_ctx
*bc
, octet
*n
, uint32 seq
, unsigned ty
)
1122 assert(bc
->nsz
<= AEAD_NONCEMAX
); assert(ty
<= 255);
1125 case 5: STORE8(n
+ SEQSZ
, ty
); break;
1126 case 6: STORE16(n
+ SEQSZ
, ty
); break;
1127 case 7: STORE24(n
+ SEQSZ
, ty
); break;
1128 default: memset(n
+ 8, 0, bc
->nsz
- 8); /* and continue */
1129 case 8: STORE32(n
+ SEQSZ
, ty
); break;
1131 TRACE_IV(n
, bc
->nsz
);
1134 static int aead_encrypt(bulkctx
*bbc
, unsigned ty
,
1135 buf
*b
, buf
*bb
, uint32 seq
)
1137 aead_ctx
*bc
= (aead_ctx
*)bbc
;
1138 const octet
*p
= BCUR(b
);
1139 gaead_key
*k
= bc
->d
[DIR_OUT
].k
;
1140 size_t sz
= BLEFT(b
);
1141 size_t csz
= sz
+ k
->ops
->c
->ohd
;
1142 octet
*qmac
, *qseq
, *qpk
;
1143 octet n
[AEAD_NONCEMAX
];
1148 if (buf_ensure(bb
, bc
->tsz
+ SEQSZ
+ csz
)) return (0);
1149 qmac
= BCUR(bb
); qseq
= qmac
+ bc
->tsz
; qpk
= qseq
+ SEQSZ
;
1152 aead_fmtnonce(bc
, n
, seq
, ty
);
1153 rc
= gaead_encrypt(k
, n
, bc
->nsz
, 0, 0, p
, sz
, qpk
, &csz
, qmac
, bc
->tsz
);
1155 BSTEP(bb
, bc
->tsz
+ SEQSZ
+ csz
);
1157 TRACE_MAC(qmac
, bc
->tsz
);
1162 static int aead_decrypt(bulkctx
*bbc
, unsigned ty
,
1163 buf
*b
, buf
*bb
, uint32
*seq_out
)
1165 aead_ctx
*bc
= (aead_ctx
*)bbc
;
1166 gaead_key
*k
= bc
->d
[DIR_IN
].k
;
1167 const octet
*pmac
, *pseq
, *ppk
;
1169 size_t psz
= BLEFT(b
);
1171 octet
*q
= BCUR(bb
);
1172 octet n
[AEAD_NONCEMAX
];
1177 if (psz
< bc
->tsz
+ SEQSZ
) {
1178 T( trace(T_KEYSET
, "keyset: block too small for keyset"); )
1179 return (KSERR_MALFORMED
);
1181 sz
= psz
- bc
->tsz
- SEQSZ
;
1182 pmac
= BCUR(b
); pseq
= pmac
+ bc
->tsz
; ppk
= pseq
+ SEQSZ
;
1185 aead_fmtnonce(bc
, n
, seq
, ty
);
1186 rc
= gaead_decrypt(k
, n
, bc
->nsz
, 0, 0, ppk
, sz
, q
, &sz
, pmac
, bc
->tsz
);
1188 if (!rc
) { TRACE_MACERR(pmac
, bc
->tsz
); return (KSERR_DECRYPT
); }
1195 /*----- The NaCl box transform --------------------------------------------*
1197 * This transform is very similar to the NaCl `crypto_secretbox' transform
1198 * described in Bernstein, `Cryptography in NaCl', with the difference that,
1199 * rather than using XSalsa20, we use either Salsa20/r or ChaChar, because we
1200 * have no need of XSalsa20's extended nonce. The default cipher is Salsa20.
1202 * Salsa20 and ChaCha accept a 64-bit nonce. The low 32 bits are the
1203 * sequence number, and the high 32 bits are the type, both big-endian.
1205 * +--------+--------+
1207 * +--------+--------+
1210 * A stream is generated by concatenating the raw output blocks generated
1211 * with this nonce and successive counter values starting from zero. The
1212 * first 32 bytes of the stream are used as a key for Poly1305: the first 16
1213 * bytes are the universal hash key r, and the second 16 bytes are the mask
1216 * +------+------+ +------...------+
1217 * | r | s | | keystream |
1218 * +------+------+ +------...------+
1221 * The remainder of the stream is XORed with the incoming plaintext to form a
1222 * ciphertext with the same length. The ciphertext (only) is then tagged
1223 * using Poly1305. The tag, sequence number, and ciphertext are concatenated
1224 * in this order, and transmitted.
1227 * +---...---+------+------...------+
1228 * | tag | seq | ciphertext |
1229 * +---...---+------+------...------+
1232 * Note that there is no need to authenticate the type separately, since it
1233 * was used to select the cipher nonce, and hence the Poly1305 key. The
1234 * Poly1305 tag length is fixed.
1236 * Challenge formation is rather tricky. We can't use Poly1305 directly
1237 * because we need a random mask. So we proceed as follows. The challenge
1238 * generator has a Salsa20 or ChaCha key. The sequence number is used as the
1239 * Salsa20 message number/nonce, padded at the start with zeroes to form,
1240 * effectively, a 64-bit big-endian integer.
1242 * +--------+--------+
1244 * +--------+--------+
1247 * 256 bits (32 bytes) of keystream are generated and used as a Poly1305 hash
1248 * key r and mask s. These are then used to hash the message, and the
1249 * resulting tag is the challenge.
1252 typedef struct naclbox_algs
{
1257 static bulkalgs
*naclbox_getalgs(const algswitch
*asw
, dstr
*e
,
1258 key_file
*kf
, key
*k
)
1260 naclbox_algs
*a
= CREATE(naclbox_algs
);
1265 /* --- Collect the selected cipher and check that it's supported --- */
1267 p
= key_getattr(kf
, k
, "cipher");
1268 if (!p
|| strcmp(p
, "salsa20") == 0)
1269 { a
->_b
.c
= &salsa20_naclbox
; a
->c
= &salsa20
; }
1270 else if (strcmp(p
, "salsa20/12") == 0)
1271 { a
->_b
.c
= &salsa2012_naclbox
; a
->c
= &salsa2012
; }
1272 else if (strcmp(p
, "salsa20/8") == 0)
1273 { a
->_b
.c
= &salsa208_naclbox
; a
->c
= &salsa208
; }
1274 else if (strcmp(p
, "chacha20") == 0)
1275 { a
->_b
.c
= &chacha20_naclbox
; a
->c
= &chacha20
; }
1276 else if (strcmp(p
, "chacha12") == 0)
1277 { a
->_b
.c
= &chacha12_naclbox
; a
->c
= &chacha12
; }
1278 else if (strcmp(p
, "chacha8") == 0)
1279 { a
->_b
.c
= &chacha8_naclbox
; a
->c
= &chacha8
; }
1281 a_format(e
, "unknown-cipher", "%s", p
, A_END
);
1286 /* --- Collect the selected MAC, and check the tag length --- */
1288 p
= key_getattr(kf
, k
, "mac");
1291 else if (strncmp(p
, "poly1305", 8) != 0 || (p
[8] && p
[8] != '/')) {
1292 a_format(e
, "unknown-mac", "%s", p
, A_END
);
1294 } else if (p
[8] == '/') {
1295 n
= strtoul(p
+ 9, &qq
, 0);
1297 a_format(e
, "bad-tag-length-string", "%s", p
+ 9, A_END
);
1301 a_format(e
, "bad-tag-length", "%lu", n
, A_END
);
1314 static void naclbox_tracealgs(const bulkalgs
*aa
)
1316 const naclbox_algs
*a
= (const naclbox_algs
*)aa
;
1318 trace(T_CRYPTO
, "crypto: cipher = %s", a
->c
->name
);
1319 trace(T_CRYPTO
, "crypto: mac = poly1305/128");
1323 #define naclbox_checkalgs aead_checkalgs
1324 #define naclbox_samealgsp aead_samealgsp
1326 static void naclbox_alginfo(const bulkalgs
*aa
, admin
*adm
)
1328 const naclbox_algs
*a
= (const naclbox_algs
*)aa
;
1329 a_info(adm
, "cipher=%s", a
->c
->name
, "cipher-keysz=32", A_END
);
1330 a_info(adm
, "mac=poly1305", "mac-tagsz=16", A_END
);
1333 #define naclbox_overhead aead_overhead
1334 #define naclbox_expsz aead_expsz
1335 #define naclbox_genkeys aead_genkeys
1337 typedef struct naclbox_chal
{
1342 static bulkchal
*naclbox_genchal(const bulkalgs
*aa
)
1344 const naclbox_algs
*a
= (const naclbox_algs
*)aa
;
1345 naclbox_chal
*c
= CREATE(naclbox_chal
);
1346 rand_get(RAND_GLOBAL
, buf_t
, a
->_b
.ksz
);
1347 c
->c
= GC_INIT(a
->c
, buf_t
, a
->_b
.ksz
);
1348 IF_TRACING(T_CHAL
, {
1349 trace(T_CHAL
, "chal: generated new challenge key");
1350 trace_block(T_CRYPTO
, "chal: new key", buf_t
, a
->_b
.ksz
);
1352 c
->_b
.tagsz
= POLY1305_TAGSZ
;
1356 static int naclbox_chaltag(bulkchal
*bc
, const void *m
, size_t msz
,
1357 uint32 seq
, void *t
)
1359 naclbox_chal
*c
= (naclbox_chal
*)bc
;
1362 octet b
[POLY1305_KEYSZ
+ POLY1305_MASKSZ
];
1364 STATIC_ASSERT(SALSA20_NONCESZ
<= sizeof(b
), "Need more space for nonce");
1366 memset(b
, 0, SALSA20_NONCESZ
- 4); STORE32(b
+ SALSA20_NONCESZ
- 4, seq
);
1367 GC_SETIV(c
->c
, b
); GC_ENCRYPT(c
->c
, 0, b
, sizeof(b
));
1368 poly1305_keyinit(&pk
, b
, POLY1305_KEYSZ
);
1369 poly1305_macinit(&pm
, &pk
, b
+ POLY1305_KEYSZ
);
1370 if (msz
) poly1305_hash(&pm
, m
, msz
);
1371 poly1305_done(&pm
, t
);
1375 static int naclbox_chalvrf(bulkchal
*bc
, const void *m
, size_t msz
,
1376 uint32 seq
, const void *t
)
1378 naclbox_chal
*c
= (naclbox_chal
*)bc
;
1381 octet b
[POLY1305_KEYSZ
+ POLY1305_MASKSZ
];
1383 STATIC_ASSERT(SALSA20_NONCESZ
<= sizeof(b
), "Need more space for nonce");
1384 STATIC_ASSERT(POLY1305_TAGSZ
<= sizeof(b
), "Need more space for tag");
1386 memset(b
, 0, SALSA20_NONCESZ
- 4); STORE32(b
+ SALSA20_NONCESZ
- 4, seq
);
1387 GC_SETIV(c
->c
, b
); GC_ENCRYPT(c
->c
, 0, b
, sizeof(b
));
1388 poly1305_keyinit(&pk
, b
, POLY1305_KEYSZ
);
1389 poly1305_macinit(&pm
, &pk
, b
+ POLY1305_KEYSZ
);
1390 if (msz
) poly1305_hash(&pm
, m
, msz
);
1391 poly1305_done(&pm
, b
);
1392 return (ct_memeq(t
, b
, POLY1305_TAGSZ
) ?
0 : -1);
1395 static void naclbox_freechal(bulkchal
*bc
)
1396 { naclbox_chal
*c
= (naclbox_chal
*)bc
; GC_DESTROY(c
->c
); DESTROY(c
); }
1398 static void naclbox_freealgs(bulkalgs
*aa
)
1399 { naclbox_algs
*a
= (naclbox_algs
*)aa
; DESTROY(a
); }
1401 #define naclbox_freectx aead_freectx
1402 #define naclbox_encrypt aead_encrypt
1403 #define naclbox_decrypt aead_decrypt
1405 /*----- Bulk crypto transform table ---------------------------------------*/
1407 const bulkops bulktab
[] = {
1411 #define BULK(name, pre) \
1412 { name, pre##_getalgs, T( pre##_tracealgs COMMA ) \
1413 pre##_checkalgs, pre##_samealgsp, \
1414 pre##_alginfo, pre##_overhead, pre##_expsz, \
1415 pre##_genkeys, pre##_genchal, pre##_freealgs, \
1416 pre##_encrypt, pre##_decrypt, pre##_freectx, \
1417 pre##_chaltag, pre##_chalvrf, pre##_freechal }
1422 BULK("naclbox", naclbox
),
1428 /*----- That's all, folks -------------------------------------------------*/